Solved: include indexTime in output file

efelder0 · ‎05-30-2012

I am looking to include the indexTime in my output file and then append that that field to an existing 'CreateTimeStamp' field. What is the best method to extract indexTime (or recentTime)?

Ayn · ‎05-30-2012

Not sure what your "output file" is, but here goes:

The time an event was indexed is available in the field _indextime. You might have some problems with actually viewing it because it's by default a purely internal field that isn't shown to users. You can however make it visible by eval:ing it:

 ... | eval indextime=_indextime

After that you can just include the indextime field in whatever output you need.

View solution in original post

Ayn · ‎05-30-2012

Not sure what your "output file" is, but here goes:

The time an event was indexed is available in the field _indextime. You might have some problems with actually viewing it because it's by default a purely internal field that isn't shown to users. You can however make it visible by eval:ing it:

 ... | eval indextime=_indextime

After that you can just include the indextime field in whatever output you need.

mslvrstn · ‎08-29-2012

Ayn, I combined this with your other answer
http://splunk-base.splunk.com/answer_link/41401/
about getting readable times, to get
| eval indextime=strftime(_indextime,"%+")

Thanks for both excellent answers!

include indexTime in output file

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!